- The EU AI Act’s core provisions are now in force. If your business uses AI tools — even third-party SaaS tools — you likely have obligations.
- SMBs are not exempt. “We’re too small” is not a defence. “We didn’t build the AI” is not a full defence either.
- The seven actions below are sequenced: do them in order and you will have a defensible compliance posture before enforcement attention arrives.
- Fines can reach €15 million or 3% of global annual turnover for violations related to high-risk AI systems.
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with provisions rolling in on a staggered schedule. The prohibition on unacceptable-risk AI systems applied from 2 February 2025. Obligations for high-risk AI systems under Annex I applied from 2 August 2025. General-purpose AI model requirements came into effect the same date. The remaining high-risk provisions under Annex III apply from 2 August 2026.
If you have been waiting to act until enforcement “gets real,” enforcement is real now. National market surveillance authorities across EU member states are actively building their AI oversight infrastructure. The UK is watching and its AI liability framework is following a parallel path. If your business serves EU clients or uses AI systems deployed by EU-headquartered providers, you are in scope.
The common mistake among SMBs is to assume the AI Act is about AI companies — the developers of large language models, computer vision systems, and autonomous decision engines. It is not only about them. It is also about every business that deploys those systems, which in the Act’s language makes you a deployer. As a deployer, you have real obligations, and ignoring them does not make you exempt.
Who counts as a deployer? Under Article 3(4) of the AI Act, a deployer is any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity. If you use an AI-powered document review tool, an AI screening system, an AI chatbot that handles client queries, or an AI risk scoring tool — you are a deployer. The fact that you purchased it from a vendor does not eliminate your deployer obligations.
Understanding the risk tiers before you act
The AI Act structures obligations around four risk categories. Knowing where your AI systems sit determines what you must do.
Unacceptable risk — banned
AI systems that manipulate persons exploiting vulnerabilities, real-time remote biometric surveillance in public spaces, social scoring by public authorities. Banned entirely since February 2025. No business justification permits these.
High risk — heavy obligations
AI used in regulated sectors: credit scoring, employment decisions, KYC/AML screening, legal assistance affecting rights, insurance risk assessment. Full compliance obligations: conformity assessment, documentation, human oversight, logging, registration in the EU AI database.
Limited risk — transparency duties
Chatbots, deepfakes, emotion recognition systems. Must disclose AI involvement to users. You cannot deploy a chatbot that presents itself as human without disclosure. Content generated by AI that could be mistaken as real must be labelled.
Minimal risk — no mandatory obligations
AI spam filters, AI-powered search recommendations, most productivity AI. No specific legal obligations under the Act, though codes of conduct are encouraged. Most AI-assisted drafting tools fall here — for now.
Most SMBs in professional services will be primarily concerned with the high-risk and limited-risk tiers. If you use AI for anything that influences decisions about people — creditworthiness, eligibility, risk scoring, employment — assume high-risk obligations apply until you have documented otherwise.
1. Classify every AI system your business uses
You cannot manage what you have not mapped. The first action is to produce an inventory of every AI system your business uses, regardless of whether you built it or bought it. This includes: AI features embedded in tools you use for other purposes (e.g., AI risk scoring built into your KYC software), AI-powered workflow automation, AI-generated content tools, and any AI that influences a decision affecting a person.
For each system, record: the vendor and product name, what the AI does within your workflow, what decisions it influences or automates, whether it processes personal data, and whether the output affects a natural person’s rights or interests. This inventory is the foundation of everything that follows. Without it, you cannot classify, document, or control your AI use.
In practice, most SMBs discover they use more AI than they think. Tools that advertised as “smart” or “automated” three years ago have quietly become AI-powered. Check the product documentation for every SaaS tool in your stack.
2. Document your use cases for each AI system
Once you have your inventory, document the specific use case for each system. Article 29 of the AI Act requires deployers to use high-risk AI systems in accordance with the instructions for use provided by the provider — and to implement appropriate technical and organisational measures to ensure they do so. You cannot comply with this obligation without knowing, in writing, what you are using each system for.
Your use case documentation should capture: the business purpose of the AI system, the input data it processes, the output it generates, who reviews the output before action is taken, and what the consequences are if the AI produces an incorrect result. For high-risk systems, this documentation forms part of your technical documentation obligation under Article 13.
Keep this documentation in a version-controlled register. When the use case changes — when you expand a tool to a new workflow, or when a vendor updates its AI model — update the register. Regulators will want to see that you tracked changes, not just the initial state.
3. Check your AI vendor’s compliance status
As a deployer, you are entitled to rely on the provider’s compliance with their obligations under the AI Act — but only if you actually verify that compliance. Silence from a vendor is not an assurance. Article 13 requires providers to supply deployers with instructions for use that include sufficient information to implement the system in compliance. If your vendor has not provided this, ask for it. If they cannot provide it, that is a risk signal.
Specifically, ask your AI vendors: Is this system classified as high-risk under the EU AI Act? Has a conformity assessment been completed? Is it registered in the EU AI database? What instructions for use have you provided, and where are they? What logging and monitoring capabilities does the system have?
Document the responses. If a vendor is evasive or cannot answer these questions, factor that into your risk assessment. Deployers who continue using non-compliant AI systems after becoming aware of the non-compliance face their own enforcement exposure.
4. Update your privacy notices to cover AI
If an AI system processes personal data — and most do — your GDPR privacy notice needs to reflect that. Under GDPR Article 13/14, individuals have a right to know when their data is processed for automated decision-making, what logic is involved, and what the significance of that processing is for them. The AI Act compounds this: Article 50 requires disclosure when AI is used in certain contexts regardless of whether personal data is involved.
Review your privacy notice against your AI inventory. For each AI system that processes personal data, add a section explaining: what AI processing occurs, the categories of data involved, the purpose, and the human oversight in place. If your AI screening tool scores individuals for risk, that scoring needs to be disclosed. If your AI chatbot handles client queries and processes personal data in doing so, that needs to be disclosed.
This is not a theoretical concern. A privacy notice that describes “automated processing” in generic terms is increasingly insufficient. Data protection authorities are beginning to require specificity about AI systems in privacy documentation.
5. Train your staff on AI use and its limits
Article 29(4) of the AI Act requires deployers to ensure that persons assigned to operate high-risk AI systems have the necessary competence, training, and authority to do so, and in particular to properly implement human oversight. “We showed them how to use the tool” is not training in the sense the Act requires.
Training for AI oversight should cover: what the AI system does and does not do, the types of errors it is known to make, how to identify outputs that warrant additional scrutiny, what escalation path to follow when an AI output is disputed, and how to document an instance where a human override of an AI recommendation was made. This last point is particularly important — the override and the reason for it should be logged.
Keep training records. Date them. When you update an AI tool or add a new one, run a refresher. For regulated firms — financial services, legal, accounting — AI literacy training is rapidly becoming an expectation from professional body regulators as well as from the AI Act itself.
6. Establish human oversight for every high-risk AI decision
Human oversight is not a checkbox. It is a process design requirement. Article 14 of the AI Act requires that high-risk AI systems be designed and deployed in such a way that human natural persons can effectively oversee them during their use — which means the oversight must be meaningful, not nominal.
In practice, this means: no fully automated decision that affects a person’s legal or similarly significant interests without a human review step. That review step must be documented. The reviewer must have access to the information needed to make a genuine assessment — not just the AI’s output, but sufficient context to evaluate it. And the reviewer must have the authority to override the AI recommendation without penalty.
If your current workflows route AI outputs straight to action without a documented human review step, that is a gap that needs to be closed before your next audit or regulator interaction. Map each high-risk AI workflow and identify where the human decision point sits. If it is implicit or informal, make it explicit and documented.
7. Prepare your documentation package for audit
Regulators conducting AI Act oversight will want to see documentation. Preparing it reactively after a request arrives is both stressful and less convincing than having it maintained proactively. The documentation package for each high-risk AI system should include: the use case description, the vendor compliance status, the technical documentation (or a summary if the full document is vendor-proprietary), your training records, your human oversight workflow, your incident log (including any AI errors and how they were handled), and your data protection impact assessment if personal data is involved.
This does not need to be a hundred-page binder. A well-organised record for each AI system — covering the points above, updated when the system or its use changes — is what a credible compliance posture looks like for an SMB. It demonstrates that you have thought about the risks, not just hoped the regulators would not notice.
Proportionality applies: The AI Act explicitly recognises that compliance obligations should be proportionate to the size and nature of the deployer. SMBs are not expected to maintain the same infrastructure as a large financial institution. But proportionality is not zero obligation — it means your documentation and processes should be appropriately robust for the scale and risk of your AI use. A one-person consultancy using AI to draft proposals has different obligations than a 50-person firm using AI to screen mortgage applications.
The enforcement timeline: when does this get real?
Unacceptable-risk AI banned. No business justification exemption. Enforcement is active.
High-risk AI obligations (Annex I) and GPAI model requirements in force. Conformity assessments, technical documentation, and human oversight requirements apply.
High-risk AI obligations (Annex III) apply. Covers AI in employment, credit, education, essential services, law enforcement, migration, justice, and democratic processes. Most SMBs in professional services are in scope for at least one of these.
Existing high-risk AI systems placed on market before August 2026 must comply. Grandfathered systems lose their grace period. This is when legacy tools your firm has been running for years come into scope.
The pace of AI adoption in professional services is accelerating. The pace of regulatory oversight of that adoption is accelerating alongside it. The firms that will be in the weakest position in 2027 are the ones that have been adding AI tools steadily without building the governance layer to match. The seven steps above are that governance layer — sequenced to be achievable without a dedicated compliance team.
AI governance built into your client operations platform
HubSecure helps regulated teams manage AI use with audit trails, human oversight workflows, and documentation that satisfies both the EU AI Act and your sector regulator — without a compliance department.
Reserve your founding seat